CVE-2025-13929
📋 TL;DR
An unauthenticated attacker can cause denial of service on GitLab instances by sending specially crafted requests to repository archive endpoints. This affects all GitLab CE/EE installations running vulnerable versions, potentially disrupting service availability.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all users, requiring manual intervention to restore GitLab functionality.
Likely Case
Temporary service degradation or outages affecting repository access and CI/CD pipelines.
If Mitigated
Minimal impact with proper rate limiting, WAF rules, and network segmentation in place.
🎯 Exploit Status
Exploitation requires crafting specific HTTP requests to archive endpoints; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.7.6, 18.8.6, or 18.9.2
Vendor Advisory: https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to a patched version via your package manager (apt/yum) or Omnibus.
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services.
🔧 Temporary Workarounds
Rate Limit Archive Endpoints
Configure rate limiting on repository archive endpoints to blunt DoS attempts. Note that GitLab serves archives under /<namespace>/<project>/-/archive/<ref>/..., so match on the "/-/archive/" path segment rather than on a leading "/archive".
# Configure in GitLab nginx config or external WAF
Restrict Archive Access
Limit archive endpoint access to authenticated users only via firewall rules
# Example iptables rule: iptables -A INPUT -p tcp --dport 80 -m string --string "/archive" --algo bm -j DROP
# Caveat: this rule drops every plaintext port-80 packet containing "/archive", legitimate downloads included, and cannot inspect TLS traffic on port 443; on its own it is a blunt block, not an authentication check.
🧯 If You Can't Patch
- Implement strict rate limiting and monitoring on repository archive endpoints
- Deploy WAF with DoS protection rules targeting /archive paths
🔍 How to Verify
Check if Vulnerable:
Check GitLab version against affected ranges; examine logs for unusual archive endpoint requests.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Confirm GitLab version is 18.7.6+, 18.8.6+, or 18.9.2+; test archive functionality works normally.
📡 Detection & Monitoring
Log Indicators:
- High volume of requests to /archive endpoints
- Unusual request patterns to repository archives
- Error logs showing archive processing failures
Network Indicators:
- Spike in traffic to GitLab archive endpoints
- Repeated malformed HTTP requests to /archive/*
SIEM Query:
source="gitlab.logs" AND (url_path="/archive" OR url_path LIKE "/archive/%") AND status_code=500 | stats count by src_ip
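As an added example (not from this page's source or from GitLab's own tooling), the following Python script applies the log and SIEM indicators above to constructed lines shaped like GitLab's production_json.log. The field names path, status, remote_ip and time, the 60-second window and the threshold of 5 requests are assumptions; the script flags source IPs that burst archive requests and counts 5xx responses per IP on archive paths, the offline equivalent of the SIEM query, matching on the "/-/archive/" segment that GitLab archive URLs actually contain.

```python
"""Added example: flag archive-endpoint abuse in GitLab production_json.log lines.

Not GitLab's code. Field names (path, status, remote_ip, time) follow the shape of
production_json.log but are treated as assumptions; the thresholds are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# GitLab serves repository archives under /<namespace>/<project>/-/archive/<ref>/<file>
ARCHIVE_MARKER = "/-/archive/"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample: one normal user, one tag download, then a burst from a single
# source that produces a run of HTTP 500s, plus one non-JSON line to exercise skipping.
SAMPLE_LOG = """\
{"method":"GET","path":"/group/app/-/archive/main/app-main.tar.gz","status":200,"remote_ip":"10.0.0.5","time":"2026-03-12T10:00:00.000Z"}
{"method":"GET","path":"/group/app/-/merge_requests/12","status":200,"remote_ip":"10.0.0.5","time":"2026-03-12T10:00:30.000Z"}
{"method":"GET","path":"/group/app/-/archive/v1.0/app-v1.0.zip","status":200,"remote_ip":"198.51.100.9","time":"2026-03-12T10:05:00.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.zip","status":500,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:00.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.zip","status":500,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:01.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.zip","status":500,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:02.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.zip","status":500,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:03.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.tar.bz2","status":200,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:04.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.tar.bz2","status":200,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:05.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.tar.bz2","status":200,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:06.000Z"}
{"method":"GET","path":"/group/app/-/archive/main/app-main.tar.bz2","status":200,"remote_ip":"203.0.113.7","time":"2026-03-12T10:10:07.000Z"}
this line is not JSON and must be skipped
"""


def is_archive_request(path):
    """True for repository archive downloads (the path segment GitLab actually uses)."""
    return ARCHIVE_MARKER in path


def parse_log(text):
    """Parse JSON lines into records with a datetime; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            entry["time"] = datetime.strptime(entry["time"], TIME_FORMAT)
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, or missing/unparseable fields
        records.append(entry)
    return records


def find_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak} for IPs with more than `threshold` archive requests in any `window`."""
    per_ip = defaultdict(list)
    for r in records:
        if is_archive_request(r["path"]):
            per_ip[r["remote_ip"]].append(r["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def archive_errors(records):
    """Per-IP count of 5xx responses on archive paths: the SIEM query's stats count by src_ip."""
    counts = defaultdict(int)
    for r in records:
        if is_archive_request(r["path"]) and 500 <= int(r["status"]) < 600:
            counts[r["remote_ip"]] += 1
    return dict(counts)


def report(text):
    """Run both indicators over raw log text and return the findings."""
    records = parse_log(text)
    return {"bursts": find_bursts(records), "archive_5xx": archive_errors(records)}


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

On the constructed sample the burst detector flags 203.0.113.7 with a peak of 8 archive requests inside the window and 4 archive 5xx responses, while the two ordinary clients stay below threshold. Pipe a real production_json.log through report() and tune threshold and window to your instance's normal archive traffic before acting on the output.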